--- /dev/null
+From 8bd29dbe03fc5b0f039ab2395ff37b64236d2f0c Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Sun, 11 Jan 2026 00:17:53 +0900
+Subject: media: as102: fix to not free memory after the device is registered in as102_usb_probe()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit 8bd29dbe03fc5b0f039ab2395ff37b64236d2f0c upstream.
+
+In as102_usb driver, the following race condition occurs:
+```
+ CPU0 CPU1
+as102_usb_probe()
+ kzalloc(); // alloc as102_dev_t
+ ....
+ usb_register_dev();
+ fd = sys_open("/path/to/dev"); // open as102 fd
+ ....
+ usb_deregister_dev();
+ ....
+ kfree(); // free as102_dev_t
+ ....
+ sys_close(fd);
+ as102_release() // UAF!!
+ as102_usb_release()
+ kfree(); // DFB!!
+```
+
+When a USB character device registered with usb_register_dev() is later
+unregistered (via usb_deregister_dev() or disconnect), the device node is
+removed so new open() calls fail. However, file descriptors that are
+already open do not go away immediately: they remain valid until the last
+reference is dropped and the driver's .release() is invoked.
+
+In as102, as102_usb_probe() calls usb_register_dev() and then, on an
+error path, does usb_deregister_dev() and frees as102_dev_t right away.
+If userspace raced a successful open() before the deregistration, that
+open FD will later hit as102_release() --> as102_usb_release() and access
+or free as102_dev_t again, occur a race to use-after-free and
+double-free vuln.
+
+The fix is to never kfree(as102_dev_t) directly once usb_register_dev()
+has succeeded. After deregistration, defer freeing memory to .release().
+
+In other words, let release() perform the last kfree when the final open
+FD is closed.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: syzbot+47321e8fd5a4c84088db@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=47321e8fd5a4c84088db
+Fixes: cd19f7d3e39b ("[media] as102: fix leaks at failure paths in as102_usb_probe()")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/as102/as102_usb_drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/usb/as102/as102_usb_drv.c
++++ b/drivers/media/usb/as102/as102_usb_drv.c
+@@ -403,7 +403,9 @@ static int as102_usb_probe(struct usb_in
+ failed_dvb:
+ as102_free_usb_stream_buffer(as102_dev);
+ failed_stream:
++ usb_set_intfdata(intf, NULL);
+ usb_deregister_dev(intf, &as102_usb_class_driver);
++ return ret;
+ failed:
+ usb_put_dev(as102_dev->bus_adap.usb_dev);
+ usb_set_intfdata(intf, NULL);
--- /dev/null
+From 3b7da2b4d0fe014eff181ed37e3bf832eb8ed258 Mon Sep 17 00:00:00 2001
+From: Jeongjun Park <aha310510@gmail.com>
+Date: Sat, 10 Jan 2026 23:58:29 +0900
+Subject: media: hackrf: fix to not free memory after the device is registered in hackrf_probe()
+
+From: Jeongjun Park <aha310510@gmail.com>
+
+commit 3b7da2b4d0fe014eff181ed37e3bf832eb8ed258 upstream.
+
+In hackrf driver, the following race condition occurs:
+```
+ CPU0 CPU1
+hackrf_probe()
+ kzalloc(); // alloc hackrf_dev
+ ....
+ v4l2_device_register();
+ ....
+ fd = sys_open("/path/to/dev"); // open hackrf fd
+ ....
+ v4l2_device_unregister();
+ ....
+ kfree(); // free hackrf_dev
+ ....
+ sys_ioctl(fd, ...);
+ v4l2_ioctl();
+ video_is_registered() // UAF!!
+ ....
+ sys_close(fd);
+ v4l2_release() // UAF!!
+ hackrf_video_release()
+ kfree(); // DFB!!
+```
+
+When a V4L2 or video device is unregistered, the device node is removed so
+new open() calls are blocked.
+
+However, file descriptors that are already open-and any in-flight I/O-do
+not terminate immediately; they remain valid until the last reference is
+dropped and the driver's release() is invoked.
+
+Therefore, freeing device memory on the error path after hackrf_probe()
+has registered dev it will lead to a race to use-after-free vuln, since
+those already-open handles haven't been released yet.
+
+And since release() free memory too, race to use-after-free and
+double-free vuln occur.
+
+To prevent this, if device is registered from probe(), it should be
+modified to free memory only through release() rather than calling
+kfree() directly.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: syzbot+6ffd76b5405c006a46b7@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=6ffd76b5405c006a46b7
+Reported-by: syzbot+f1b20958f93d2d250727@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f1b20958f93d2d250727
+Fixes: 8bc4a9ed8504 ("[media] hackrf: add support for transmitter")
+Signed-off-by: Jeongjun Park <aha310510@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/hackrf/hackrf.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/usb/hackrf/hackrf.c
++++ b/drivers/media/usb/hackrf/hackrf.c
+@@ -1485,7 +1485,7 @@ static int hackrf_probe(struct usb_inter
+ if (ret) {
+ dev_err(dev->dev,
+ "Failed to register as video device (%d)\n", ret);
+- goto err_v4l2_device_unregister;
++ goto err_v4l2_device_put;
+ }
+ dev_info(dev->dev, "Registered as %s\n",
+ video_device_node_name(&dev->rx_vdev));
+@@ -1513,8 +1513,9 @@ static int hackrf_probe(struct usb_inter
+ return 0;
+ err_video_unregister_device_rx:
+ video_unregister_device(&dev->rx_vdev);
+-err_v4l2_device_unregister:
+- v4l2_device_unregister(&dev->v4l2_dev);
++err_v4l2_device_put:
++ v4l2_device_put(&dev->v4l2_dev);
++ return ret;
+ err_v4l2_ctrl_handler_free_tx:
+ v4l2_ctrl_handler_free(&dev->tx_ctrl_handler);
+ err_v4l2_ctrl_handler_free_rx:
--- /dev/null
+From 5f8e73bde67e931468bc2a1860d78d72f0c6ba41 Mon Sep 17 00:00:00 2001
+From: Abd-Alrhman Masalkhi <abd.masalkhi@gmail.com>
+Date: Sat, 21 Feb 2026 13:56:18 +0100
+Subject: media: vidtv: fix pass-by-value structs causing MSAN warnings
+
+From: Abd-Alrhman Masalkhi <abd.masalkhi@gmail.com>
+
+commit 5f8e73bde67e931468bc2a1860d78d72f0c6ba41 upstream.
+
+vidtv_ts_null_write_into() and vidtv_ts_pcr_write_into() take their
+argument structs by value, causing MSAN to report uninit-value warnings.
+While only vidtv_ts_null_write_into() has triggered a report so far,
+both functions share the same issue.
+
+Fix by passing both structs by const pointer instead, avoiding the
+stack copy of the struct along with its MSAN shadow and origin metadata.
+The functions do not modify the structs, which is enforced by the const
+qualifier.
+
+Fixes: f90cf6079bf67 ("media: vidtv: add a bridge driver")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+96f901260a0b2d29cd1a@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=96f901260a0b2d29cd1a
+Tested-by: syzbot+96f901260a0b2d29cd1a@syzkaller.appspotmail.com
+Suggested-by: Yihan Ding <dingyihan@uniontech.com>
+Signed-off-by: Abd-Alrhman Masalkhi <abd.masalkhi@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/test-drivers/vidtv/vidtv_mux.c | 4 +-
+ drivers/media/test-drivers/vidtv/vidtv_ts.c | 50 +++++++++++++--------------
+ drivers/media/test-drivers/vidtv/vidtv_ts.h | 4 +-
+ 3 files changed, 29 insertions(+), 29 deletions(-)
+
+--- a/drivers/media/test-drivers/vidtv/vidtv_mux.c
++++ b/drivers/media/test-drivers/vidtv/vidtv_mux.c
+@@ -233,7 +233,7 @@ static u32 vidtv_mux_push_pcr(struct vid
+ /* the 27Mhz clock will feed both parts of the PCR bitfield */
+ args.pcr = m->timing.clk;
+
+- nbytes += vidtv_ts_pcr_write_into(args);
++ nbytes += vidtv_ts_pcr_write_into(&args);
+ m->mux_buf_offset += nbytes;
+
+ m->num_streamed_pcr++;
+@@ -363,7 +363,7 @@ static u32 vidtv_mux_pad_with_nulls(stru
+ args.continuity_counter = &ctx->cc;
+
+ for (i = 0; i < npkts; ++i) {
+- m->mux_buf_offset += vidtv_ts_null_write_into(args);
++ m->mux_buf_offset += vidtv_ts_null_write_into(&args);
+ args.dest_offset = m->mux_buf_offset;
+ }
+
+--- a/drivers/media/test-drivers/vidtv/vidtv_ts.c
++++ b/drivers/media/test-drivers/vidtv/vidtv_ts.c
+@@ -48,7 +48,7 @@ void vidtv_ts_inc_cc(u8 *continuity_coun
+ *continuity_counter = 0;
+ }
+
+-u32 vidtv_ts_null_write_into(struct null_packet_write_args args)
++u32 vidtv_ts_null_write_into(const struct null_packet_write_args *args)
+ {
+ u32 nbytes = 0;
+ struct vidtv_mpeg_ts ts_header = {};
+@@ -56,21 +56,21 @@ u32 vidtv_ts_null_write_into(struct null
+ ts_header.sync_byte = TS_SYNC_BYTE;
+ ts_header.bitfield = cpu_to_be16(TS_NULL_PACKET_PID);
+ ts_header.payload = 1;
+- ts_header.continuity_counter = *args.continuity_counter;
++ ts_header.continuity_counter = *args->continuity_counter;
+
+ /* copy TS header */
+- nbytes += vidtv_memcpy(args.dest_buf,
+- args.dest_offset + nbytes,
+- args.buf_sz,
++ nbytes += vidtv_memcpy(args->dest_buf,
++ args->dest_offset + nbytes,
++ args->buf_sz,
+ &ts_header,
+ sizeof(ts_header));
+
+- vidtv_ts_inc_cc(args.continuity_counter);
++ vidtv_ts_inc_cc(args->continuity_counter);
+
+ /* fill the rest with empty data */
+- nbytes += vidtv_memset(args.dest_buf,
+- args.dest_offset + nbytes,
+- args.buf_sz,
++ nbytes += vidtv_memset(args->dest_buf,
++ args->dest_offset + nbytes,
++ args->buf_sz,
+ TS_FILL_BYTE,
+ TS_PACKET_LEN - nbytes);
+
+@@ -83,17 +83,17 @@ u32 vidtv_ts_null_write_into(struct null
+ return nbytes;
+ }
+
+-u32 vidtv_ts_pcr_write_into(struct pcr_write_args args)
++u32 vidtv_ts_pcr_write_into(const struct pcr_write_args *args)
+ {
+ u32 nbytes = 0;
+ struct vidtv_mpeg_ts ts_header = {};
+ struct vidtv_mpeg_ts_adaption ts_adap = {};
+
+ ts_header.sync_byte = TS_SYNC_BYTE;
+- ts_header.bitfield = cpu_to_be16(args.pid);
++ ts_header.bitfield = cpu_to_be16(args->pid);
+ ts_header.scrambling = 0;
+ /* cc is not incremented, but it is needed. see 13818-1 clause 2.4.3.3 */
+- ts_header.continuity_counter = *args.continuity_counter;
++ ts_header.continuity_counter = *args->continuity_counter;
+ ts_header.payload = 0;
+ ts_header.adaptation_field = 1;
+
+@@ -102,27 +102,27 @@ u32 vidtv_ts_pcr_write_into(struct pcr_w
+ ts_adap.PCR = 1;
+
+ /* copy TS header */
+- nbytes += vidtv_memcpy(args.dest_buf,
+- args.dest_offset + nbytes,
+- args.buf_sz,
++ nbytes += vidtv_memcpy(args->dest_buf,
++ args->dest_offset + nbytes,
++ args->buf_sz,
+ &ts_header,
+ sizeof(ts_header));
+
+ /* write the adap after the TS header */
+- nbytes += vidtv_memcpy(args.dest_buf,
+- args.dest_offset + nbytes,
+- args.buf_sz,
++ nbytes += vidtv_memcpy(args->dest_buf,
++ args->dest_offset + nbytes,
++ args->buf_sz,
+ &ts_adap,
+ sizeof(ts_adap));
+
+ /* write the PCR optional */
+- nbytes += vidtv_ts_write_pcr_bits(args.dest_buf,
+- args.dest_offset + nbytes,
+- args.pcr);
+-
+- nbytes += vidtv_memset(args.dest_buf,
+- args.dest_offset + nbytes,
+- args.buf_sz,
++ nbytes += vidtv_ts_write_pcr_bits(args->dest_buf,
++ args->dest_offset + nbytes,
++ args->pcr);
++
++ nbytes += vidtv_memset(args->dest_buf,
++ args->dest_offset + nbytes,
++ args->buf_sz,
+ TS_FILL_BYTE,
+ TS_PACKET_LEN - nbytes);
+
+--- a/drivers/media/test-drivers/vidtv/vidtv_ts.h
++++ b/drivers/media/test-drivers/vidtv/vidtv_ts.h
+@@ -90,7 +90,7 @@ void vidtv_ts_inc_cc(u8 *continuity_coun
+ *
+ * Return: The number of bytes written into the buffer.
+ */
+-u32 vidtv_ts_null_write_into(struct null_packet_write_args args);
++u32 vidtv_ts_null_write_into(const struct null_packet_write_args *args);
+
+ /**
+ * vidtv_ts_pcr_write_into - Write a PCR packet into a buffer.
+@@ -101,6 +101,6 @@ u32 vidtv_ts_null_write_into(struct null
+ *
+ * Return: The number of bytes written into the buffer.
+ */
+-u32 vidtv_ts_pcr_write_into(struct pcr_write_args args);
++u32 vidtv_ts_pcr_write_into(const struct pcr_write_args *args);
+
+ #endif //VIDTV_TS_H
--- /dev/null
+From 0217c7fb4de4a40cee667eb21901f3204effe5ac Mon Sep 17 00:00:00 2001
+From: Jianhui Zhou <jianhuizzzzz@gmail.com>
+Date: Tue, 10 Mar 2026 19:05:26 +0800
+Subject: mm/userfaultfd: fix hugetlb fault mutex hash calculation
+
+From: Jianhui Zhou <jianhuizzzzz@gmail.com>
+
+commit 0217c7fb4de4a40cee667eb21901f3204effe5ac upstream.
+
+In mfill_atomic_hugetlb(), linear_page_index() is used to calculate the
+page index for hugetlb_fault_mutex_hash(). However, linear_page_index()
+returns the index in PAGE_SIZE units, while hugetlb_fault_mutex_hash()
+expects the index in huge page units. This mismatch means that different
+addresses within the same huge page can produce different hash values,
+leading to the use of different mutexes for the same huge page. This can
+cause races between faulting threads, which can corrupt the reservation
+map and trigger the BUG_ON in resv_map_release().
+
+Fix this by introducing hugetlb_linear_page_index(), which returns the
+page index in huge page granularity, and using it in place of
+linear_page_index().
+
+Link: https://lkml.kernel.org/r/20260310110526.335749-1-jianhuizzzzz@gmail.com
+Fixes: a08c7193e4f1 ("mm/filemap: remove hugetlb special casing in filemap.c")
+Signed-off-by: Jianhui Zhou <jianhuizzzzz@gmail.com>
+Reported-by: syzbot+f525fd79634858f478e7@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=f525fd79634858f478e7
+Acked-by: SeongJae Park <sj@kernel.org>
+Reviewed-by: David Hildenbrand (Arm) <david@kernel.org>
+Acked-by: Mike Rapoport (Microsoft) <rppt@kernel.org>
+Cc: Jane Chu <jane.chu@oracle.com>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: JonasZhou <JonasZhou@zhaoxin.com>
+Cc: Muchun Song <muchun.song@linux.dev>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: SeongJae Park <sj@kernel.org>
+Cc: Sidhartha Kumar <sidhartha.kumar@oracle.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/hugetlb.h | 17 +++++++++++++++++
+ mm/userfaultfd.c | 2 +-
+ 2 files changed, 18 insertions(+), 1 deletion(-)
+
+--- a/include/linux/hugetlb.h
++++ b/include/linux/hugetlb.h
+@@ -793,6 +793,23 @@ static inline unsigned huge_page_shift(s
+ return h->order + PAGE_SHIFT;
+ }
+
++/**
++ * hugetlb_linear_page_index() - linear_page_index() but in hugetlb
++ * page size granularity.
++ * @vma: the hugetlb VMA
++ * @address: the virtual address within the VMA
++ *
++ * Return: the page offset within the mapping in huge page units.
++ */
++static inline pgoff_t hugetlb_linear_page_index(struct vm_area_struct *vma,
++ unsigned long address)
++{
++ struct hstate *h = hstate_vma(vma);
++
++ return ((address - vma->vm_start) >> huge_page_shift(h)) +
++ (vma->vm_pgoff >> huge_page_order(h));
++}
++
+ static inline bool order_is_gigantic(unsigned int order)
+ {
+ return order > MAX_PAGE_ORDER;
+--- a/mm/userfaultfd.c
++++ b/mm/userfaultfd.c
+@@ -569,7 +569,7 @@ retry:
+ * in the case of shared pmds. fault mutex prevents
+ * races with other faulting threads.
+ */
+- idx = linear_page_index(dst_vma, dst_addr);
++ idx = hugetlb_linear_page_index(dst_vma, dst_addr);
+ mapping = dst_vma->vm_file->f_mapping;
+ hash = hugetlb_fault_mutex_hash(mapping, idx);
+ mutex_lock(&hugetlb_fault_mutex_table[hash]);
--- /dev/null
+From 4a4e0328edd9e9755843787d28f16dd4165f8b48 Mon Sep 17 00:00:00 2001
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+Date: Tue, 31 Mar 2026 09:47:21 +0900
+Subject: nilfs2: fix NULL i_assoc_inode dereference in nilfs_mdt_save_to_shadow_map
+
+From: Deepanshu Kartikey <kartikey406@gmail.com>
+
+commit 4a4e0328edd9e9755843787d28f16dd4165f8b48 upstream.
+
+The DAT inode's btree node cache (i_assoc_inode) is initialized lazily
+during btree operations. However, nilfs_mdt_save_to_shadow_map()
+assumes i_assoc_inode is already initialized when copying dirty pages
+to the shadow map during GC.
+
+If NILFS_IOCTL_CLEAN_SEGMENTS is called immediately after mount before
+any btree operation has occurred on the DAT inode, i_assoc_inode is
+NULL leading to a general protection fault.
+
+Fix this by calling nilfs_attach_btree_node_cache() on the DAT inode
+in nilfs_dat_read() at mount time, ensuring i_assoc_inode is always
+initialized before any GC operation can use it.
+
+Reported-by: syzbot+4b4093b1f24ad789bf37@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=4b4093b1f24ad789bf37
+Tested-by: syzbot+4b4093b1f24ad789bf37@syzkaller.appspotmail.com
+Fixes: e897be17a441 ("nilfs2: fix lockdep warnings in page operations for btree nodes")
+Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
+Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Viacheslav Dubeyko <slava@dubeyko.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nilfs2/dat.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/nilfs2/dat.c
++++ b/fs/nilfs2/dat.c
+@@ -524,6 +524,9 @@ int nilfs_dat_read(struct super_block *s
+ if (err)
+ goto failed;
+
++ err = nilfs_attach_btree_node_cache(dat);
++ if (err)
++ goto failed;
+ err = nilfs_read_inode_common(dat, raw_inode);
+ if (err)
+ goto failed;
hwmon-powerz-fix-use-after-free-on-usb-disconnect.patch
alsa-6fire-fix-use-after-free-on-disconnect.patch
bcache-fix-cached_dev.sb_bio-use-after-free-and-crash.patch
+wireguard-device-use-exit_rtnl-callback-instead-of-manual-rtnl_lock-in-pre_exit.patch
+media-as102-fix-to-not-free-memory-after-the-device-is-registered-in-as102_usb_probe.patch
+nilfs2-fix-null-i_assoc_inode-dereference-in-nilfs_mdt_save_to_shadow_map.patch
+media-vidtv-fix-pass-by-value-structs-causing-msan-warnings.patch
+media-hackrf-fix-to-not-free-memory-after-the-device-is-registered-in-hackrf_probe.patch
+mm-userfaultfd-fix-hugetlb-fault-mutex-hash-calculation.patch
--- /dev/null
+From 60a25ef8dacb3566b1a8c4de00572a498e2a3bf9 Mon Sep 17 00:00:00 2001
+From: Shardul Bankar <shardul.b@mpiricsoftware.com>
+Date: Tue, 14 Apr 2026 17:39:44 +0200
+Subject: wireguard: device: use exit_rtnl callback instead of manual rtnl_lock in pre_exit
+
+From: Shardul Bankar <shardul.b@mpiricsoftware.com>
+
+commit 60a25ef8dacb3566b1a8c4de00572a498e2a3bf9 upstream.
+
+wg_netns_pre_exit() manually acquires rtnl_lock() inside the
+pernet .pre_exit callback. This causes a hung task when another
+thread holds rtnl_mutex - the cleanup_net workqueue (or the
+setup_net failure rollback path) blocks indefinitely in
+wg_netns_pre_exit() waiting to acquire the lock.
+
+Convert to .exit_rtnl, introduced in commit 7a60d91c690b ("net:
+Add ->exit_rtnl() hook to struct pernet_operations."), where the
+framework already holds RTNL and batches all callbacks under a
+single rtnl_lock()/rtnl_unlock() pair, eliminating the contention
+window.
+
+The rcu_assign_pointer(wg->creating_net, NULL) is safe to move
+from .pre_exit to .exit_rtnl (which runs after synchronize_rcu())
+because all RCU readers of creating_net either use maybe_get_net()
+- which returns NULL for a dying namespace with zero refcount - or
+access net->user_ns which remains valid throughout the entire
+ops_undo_list sequence.
+
+Reported-by: syzbot+f2fbf7478a35a94c8b7c@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?id=cb64c22a492202ca929e18262fdb8cb89e635c70
+Signed-off-by: Shardul Bankar <shardul.b@mpiricsoftware.com>
+[ Jason: added __net_exit and __read_mostly annotations that were missing. ]
+Fixes: 900575aa33a3 ("wireguard: device: avoid circular netns references")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
+Link: https://patch.msgid.link/20260414153944.2742252-5-Jason@zx2c4.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireguard/device.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireguard/device.c
++++ b/drivers/net/wireguard/device.c
+@@ -411,12 +411,11 @@ static struct rtnl_link_ops link_ops __r
+ .newlink = wg_newlink,
+ };
+
+-static void wg_netns_pre_exit(struct net *net)
++static void __net_exit wg_netns_exit_rtnl(struct net *net, struct list_head *dev_kill_list)
+ {
+ struct wg_device *wg;
+ struct wg_peer *peer;
+
+- rtnl_lock();
+ list_for_each_entry(wg, &device_list, device_list) {
+ if (rcu_access_pointer(wg->creating_net) == net) {
+ pr_debug("%s: Creating namespace exiting\n", wg->dev->name);
+@@ -429,11 +428,10 @@ static void wg_netns_pre_exit(struct net
+ mutex_unlock(&wg->device_update_lock);
+ }
+ }
+- rtnl_unlock();
+ }
+
+-static struct pernet_operations pernet_ops = {
+- .pre_exit = wg_netns_pre_exit
++static struct pernet_operations pernet_ops __read_mostly = {
++ .exit_rtnl = wg_netns_exit_rtnl
+ };
+
+ int __init wg_device_init(void)
projects / thirdparty / kernel / stable-queue.git / commitdiff
